CVE-2025-47287: Tornado vulnerable to excessive logging caused by malformed multipart form data
(updated )
When Tornado’s multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.
References
- github.com/advisories/GHSA-7cx3-6m66-7c5m
- github.com/tornadoweb/tornado
- github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
- github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
- lists.debian.org/debian-lts-announce/2025/05/msg00038.html
- nvd.nist.gov/vuln/detail/CVE-2025-47287
Code Behaviors & Features
Detect and mitigate CVE-2025-47287 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →